A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

DETAILED ACTION 

1. The amendment filed on 26 March 2007 has been noted and made of record. 

2. Claims 1-17 have been presented for examination. 

Response to Arguments 

3. Applicant's amendments with respect to claim 10 have been fully considered and are 
persuasive. The objection of claim 10 has been withdrawn. 

4. Applicant's amendments with respect to claims 2 and 7 have been fully considered and 
are persuasive. The 35 U.S.C. 112, 2nd rejection of claims 2 and 7 has been withdrawn. 
Contrary to the Applicant's statement on page 5 of the amendment of 26 March 2007, claim 6 
has not been amended and the 35 U.S.C. 112, 2nd rejection of claim 6 is upheld. 

5. Applicant's arguments regarding the prior art rejection of claims 1-17 filed 26 March 2007 
have been fully considered but they are not persuasive. 

6. Applicant's arguments regarding claims 1 and 8 fail to comply with 37 CFR 1.111(b) 
because they amount to a general allegation that the claims define a patentable invention without 
specifically pointing out how the language of the claims patentably distinguishes them from the 
references. The Applicant fails to point out with specificity to column and line number of the 
prior art how the claim language of the instant application is different. 

7. In response to applicant's argument that Lawrence does not determine whether a 
prospective vendor to whom a client may be entertaining outsourcing certain work involving 
confidential information, is qualified under government regulations to handle such confidential 
information, a recitation of the intended use of the claimed invention must result in a structural 
difference between the claimed invention and the prior art in order to patentably distinguish the 
claimed invention from the prior art. If the prior art structure is capable of performing the 
intended use, then it meets the claim. 

8. In response to applicant's argument regarding claims 1 and 8 that the references fail to 
show certain features of applicant's invention, it is noted that the features upon which applicant 
relies, such as determining whether a prospective vendor to whom a client may be entertaining 
outsourcing certain work involving confidential information, is qualified under government 
regulations to handle such confidential information, are not recited in the rejected claims. 
Although the claims are interpreted in light of the specification, limitations from the specification 
are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 
1993). 

9. In response to the Applicant's arguments regarding claims 1 and 8 that Lawrence does 
not teach determining whether a prospective vendor to whom a client may be entertaining 
outsourcing certain work involving confidential information, is qualified under government 
regulations to handle such information, the Examiner disagrees. Lawrence discloses at 
paragraph 0014 that the present invention manages risk associated with government regulations, 
which includes gathering data relevant to regulation from multiple sources and aggregating the 
data according to risk variables. The risk variables are partially defined in paragraph 0034 as 
being related to information gathered from lists that are generated by government agencies, such 
as the U.S. Commerce Department. This is further supported by the last sentence of paragraph 
0013 which states "[the] risk information... [can] be conveyed to a compliance department and 
be able to demonstrate to regulators that a financial institution has met standards relating to risk 
containment." 

10. Since Lawrence teaches determining whether a prospective vendor to whom a client may 
be entertaining outsourcing certain work involving confidential information, is qualified under 
government regulations to handle such information as shown above, the rejection is maintained. 

11. See further rejections that follow. 

Claim Rejections - 35 USC § 112 

12. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

13. Claim 6 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing 
to particularly point out and distinctly claim the subject matter which applicant regards as the 
invention. Claim 6 recites the limitation "the vendor." There is insufficient antecedent basis for 
this limitation in the claim, and the Examiner will construe "the vendor" to be the "second 
parties" disclosed in claim 1. 

Claim Rejections - 35 USC § 102 

14. The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

15. Claims 1-4, 8, 11, and 13-15 are rejected under 35 U.S.C. 102(a) and 35 U.S.C. 102(e) as 
being anticipated by U.S. Patent Application Publication No. 2002/0138417. 

16. As per claim 1, Lawrence teaches a transaction involving a disclosure of confidential 
information by first parties to second parties (paragraph [0014], i.e. financial transaction), 
requiring the second parties to adopt security measures with respect to the handling of the 
information and periodically respond to requests of the first parties for assurances of the 
implementation and observance of the security measures (paragraphs [0002], [0016], [0017]), a 
method for providing the assurances to the first parties, comprising: 

arranging with a selected number of the second parties to acquire, compile and store in a 
database information regarding the adoption, implementation, and observation of security 
measures for each of the selected number of second parties (Figures 3 [block 312], 4 [block 410], 
paragraphs [0031], [0079], i.e. gathers and stores information in a database related to a risk 
assessment of a party involved in a financial transaction); 

arranging with a selected number of the first parties subscription services providing the 
selected number of first parties with assurances of the security measures of the selected number 
of second parties upon request (Figures 1 [block 111], 2 [blocks 220, 221], paragraphs [0035], 
[0037], [0067], i.e. subscriber's request for information); and 

providing the assurances of the security measures of the selected number of second 
parties to the selected number of first parties upon request (Figures 3 [block 319], 4 [block 418], 
5 [block 517], paragraphs [0013], [0031], [0032], [0088], [0091], [0097], i.e. convey that a 
financial institution complies with government standards relating to risk containment, scrubbed 
and augmented data is transmitted to a subscriber that relates risk variable involved in a financial 
transaction). 

17. Regarding claims 2 and 13, Lawrence teaches updating the security measures information 
stored in the database for each second party periodically (paragraphs [0079], [0094], i.e. ongoing 
monitoring). 

18. Regarding claim 3, Lawrence teaches updating the security measures information stored 
in the database upon a notification by a respective second party (paragraphs [0031], [0039], i.e. a 
financial institution can integrate a risk management clearinghouse) and verification by a third 
party (paragraph [0080], i.e. source of risk variable by other provider of risk management data, 
such as a government agency). 

19. Regarding claims 4 and 11, Lawrence teaches wherein the acquisition, compilation and 
storage of the security measures information of the selected number of second parties is 
performed at no cost to the selected number of second parties (Figures 3 [block 312], 4 [block 
410], paragraphs [0031], [0079], i.e. gathers and stores information in a database related to a risk 
assessment of a party involved in a financial transaction). Lawrence makes no mention of a cost, 
fee or surcharge associated with the accumulation of risk related data anywhere in the patent 
application. 

20. As per claim 8, Lawrence teaches a method for providing security information on a 
plurality of vendors to a plurality of clients, comprising: 

providing an assessment of security procedures adopted, implemented and observed for 
each of the plurality of vendors (Figures 3 [block 312], 4 [block 410], paragraphs [0031], [0079], 
i.e. gathers and stores information in a database related to a risk assessment of a party involved 
in a financial transaction); 

storing each assessment in a vendor security database (Figures 1 [block 112], 2 [block 
210], paragraphs [0031], [0042], [0043], [0054], [0058], [0060]); 

providing access to the vendor security database to each client to allow each client to 
review the plurality of assessments (Figures 3 [block 319], 4 [block 418], 5 [block 517], 
paragraphs [0063], [0086], i.e. a subscriber will be able to access the database). 

21. Regarding claim 14, Lawrence teaches wherein the assessment is updated whenever the 
vendor updates its security procedures, the updates are verified and provided to the VMS 
(paragraphs [0093], [0094], i.e. RMC monitors for and stores updates). 

22. Regarding claim 15, Lawrence teaches wherein each assessment comprises one or more 
of SAS70 reports, Penetration Reports, Information Security Policies, Computer Incident 
Response Policies, DR Plans, Business Resumption Plans, Insurance Coverages, 3rd Party 
Vendor Management Policies & Programs and Annual Financial Reports (paragraphs 
[0003]-[0005], [0008], [0017], [0035], i.e. SAS 70 reports include the suspicious activity reports 
disclosed in Lawrence). 

Claim Rejections - 35 USC § 103 

23. The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

24. Claims 5-7, 9, 10, 12, 16, and 17 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Lawrence in view of U.S. Patent Application Publication No. 2004/0193907 to 
Patanella, hereinafter Patanella. 

25. Regarding claims 5 and 12, Lawrence teaches wherein the access provided to each client 
is a subscription service (Figures 1 [block 111], 2 [blocks 220, 221], paragraphs [0035], [0037], 
[0067]). 

26. Lawrence does not teach rendering the subscription services for a fee. 

27. Patanella discloses a cost-effective method for assessing a network for compliance with a 
number of regulations, policies, or standards in paragraph [0008]. One of ordinary skill in the 
art would infer that since there is a cost associated with the method, therefore a fee could be 
charged to subscribers. 

28. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to render the subscription services for a fee, since Patanella states at paragraph [0006] 
that the reporting capabilities of the previous system are immature and require highly technical 
personnel to analyze and make sense out of the results. Therefore, one of ordinary skill in the art 
would recognize the need for a subscription fee to pay the technical personnel to translate and 
present the reports to the users in a clear and concise manner. 

29. Regarding claims 6, 7, 16 and 17, Lawrence does not teach providing a rating for each 
second party based upon a type of the confidential information and the security measures of the 
second party. 

30. Patanella teaches providing a rating for each second party (Figure 7, paragraph [0017], 
i.e. low risk, medium risk, high risk, information risk) based upon a type of the confidential 
information (paragraphs [0069], [0070], i.e. compares to industry average, for example, for 
financial institutions) and the security measures of the second party (paragraphs [0017], [0069], 
[0070], i.e. defining the security levels, such as high risk refers to the system being 
compromised, that requires immediate attention). 

31. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to provide a rating based upon confidential information and/or security measures of 
the vendor, since Patanella states at paragraph [0008] and [0069] that providing a rating allows 
the user to view the most vulnerable systems in a ranking that is cost-efficient and permits the 
user to see which systems require the most attention, as well as suggest possible fixes to patch 
certain vulnerabilities. 

32. Regarding claims 9 and 10, Lawrence does not teach wherein the assessment is provided 
at cost or fee to the vendor. 

33. Patanella discloses a cost-effective method for assessing a network for compliance with a 
number of regulations, policies, or standards in paragraph [0008]. One of ordinary skill in the 
art would infer that since there is a cost associated with the method, therefore some type of cost 
or fee could be charged to the vendor. 

34. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to charge the vendor, since Patanella states at paragraph [0006] that the reporting 
capabilities of the previous system are immature and require highly technical personnel to 
analyze and make sense out of the results. Therefore, one of ordinary skill in the art would 
recognize the need for a charge to the vendor to pay the technical personnel to translate and 
present the reports to the users in a clear and concise manner. 

Conclusion 

35. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

36. A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

37. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Christian La Forgia whose telephone number is (571) 272-3792. 
The examiner can normally be reached on Monday thru Thursday 7-5. 

38. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

39. Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Christian LaForgia 
Patent Examiner 
Art Unit 2131 



clf 



